3.2 Example 2: Applying Policy on the Group Policy Client

The Group Policy client's interaction with the Group Policy server in policy application uses a pull model, in which the Group Policy client polls a Group Policy server to check for new user GPOs.

When the Group Policy client discovers the Group Policy server, the client performs two sets of queries to Active Directory on the Group Policy server using LDAP as a transport.

  • The first set of queries determines which GPOs have been assigned.

  • The second set of queries determines attributes of the relevant policies, discovers the location of the policy files, and determines any exclusionary WMI filtering for GPOs.

The Group Policy client then checks the link speed and processes any relevant filters, which can reduce the collective list of extensions to be applied.

Lastly, CSEs read the relevant policy settings from the server that are stored in Active Directory and on the Group Policy file share, using LDAP or a file access protocol, respectively, and apply them.

This example maps to the use case specified in section 2.5.2, "Applying Group Policy".

Prerequisites

The following prerequisites apply to this example:

  • The Group Policy server is storing policy information.

  • The Group Policy client maintains a consistent configuration of policy information that is retrieved from the Group Policy server, which includes registry settings, WMI data, and RSoP data.

  • The Group Policy administrator ensures that the Group Policy client policy configuration aligns with business requirements.

  • The Group Policy client has discovered the Group Policy server and connected with Active Directory, as described in [MS-GPOL] section 3.2.5.1.1.

  • The Group Policy client has sent an LDAP BindRequest message, as specified in [RFC2251] section 4.2, to the Group Policy server, and the Group Policy server has replied with an LDAP BindResponse message, as described in [RFC2251] section 4.2.3.

  • In this scenario, it is assumed that the Group Policy file share resides on the Group Policy server.

Initial System State

The initial state of the Group Policy protocols corresponds to the previously specified prerequisites.

Final System State

The state of the Group Policy protocols and components after execution of this example can be described as follows:

  • The Group Policy client applied the appropriate user and computer policies that were retrieved from the Group Policy data store.

Sequence of Events

The following diagram illustrates the message sequence that occurs when Group Policy is applied on the Group Policy client:

Figure 12: Group Policy client applies policy

The message sequence for this example is as follows:

  1. The Group Policy client sends a series of LDAP requests to the Group Policy server to discover the policies that apply to the user and to the computer. For more information, see [MS-GPOL] sections 2.2.2, 2.2.3, and 3.2.5.1.3.

  2. The Group Policy server sends a series of LDAP replies to the Group Policy client that contain the policies that apply to the user and to the computer. For more information, see [MS-GPOL] sections 2.2.2, 2.2.3, and 3.2.5.1.3.

  3. The Group Policy client receives the list of policies and then sends an LDAP query to the Group Policy server to request specific attributes that define further filtering, the location of the policy file, and the precedence order for sequential application of policies and classes of settings. For more information, see [MS-GPOL] sections 2.2.4 and 3.2.5.1.5.

  4. Through an LDAP reply, the Group Policy server returns the list of attributes that the Group Policy client requested. The Group Policy client then invokes any extension settings that are defined as part of the returned attributes. For more information, see [MS-GPOL] sections 2.2.4 and 3.2.5.1.5.

  5. The Group Policy client sends a file access request to the Group Policy file share on the Group Policy server to read the gpt.ini file that contains version information for the GPO. For more information, see [MS-GPOL] section 2.2.4.

  6. The version information from the file is returned to the Group Policy client in response to the file access request. The Group Policy client parses the file to check the GPO version.

  7. The Group Policy client sends an encrypted LDAP request to the Group Policy server to retrieve any WMI filters that apply to the GPOs in scope for the Group Policy client. For more information, see [MS-GPOL] sections 2.2.5 and 3.2.5.1.7.

  8. The Group Policy server sends an encrypted response back to the client with any relevant WMI filters that apply to the client. For more information, see [MS-GPOL] section 2.2.5.

  9. The Group Policy client might send a separate request to the Group Policy server to determine the link speed. For more information, see [MS-GPOL] sections 2.2.6 and 3.2.5.1.9.

  10. The Group Policy client receives a response from the Group Policy server that assists the Group Policy client in determining link speed. For more information, see [MS-GPOL] section 2.2.6.

  11. If a Group Policy update is required, the Group Policy client sends an LDAP request to the Group Policy server and a file access request to the Group Policy file share that stores the extension-specific policy settings. For more information, see [MS-GPOL] section 3.2.5.1.

  12. The Group Policy client then retrieves the requested settings and applies them. For more information, see [MS-GPOL] section 3.2.5.1.
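The version check in steps 5, 6 and 11 above, as an added example that is not part of this document or of any Microsoft implementation: it parses a constructed gpt.ini in the format of [MS-GPOL] section 2.2.4, splits the 32-bit Version value into its user (upper 16 bits) and computer (lower 16 bits) halves, and decides whether the client must re-read and apply settings. The cached last-applied version is an assumed client-side value, and a malformed file is rejected rather than treated as version 0.

```python
import configparser

# Constructed sample gpt.ini in the layout of [MS-GPOL] section 2.2.4:
# an INI file whose [General] section carries a Version= integer.
# 65539 == 0x00010003, i.e. user version 1, computer version 3.
SAMPLE_GPT_INI = """[General]
Version=65539
displayName=Constructed Sample GPO
"""


def parse_gpt_ini(text):
    """Return the raw Version integer from gpt.ini text.

    Raises ValueError when the [General] section or the Version key is
    absent, or when Version is not a non-negative 32-bit integer, so a
    truncated or tampered file cannot silently pass as version 0.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_option("General", "Version"):
        raise ValueError("gpt.ini has no [General] Version entry")
    version = int(parser.get("General", "Version").strip())
    if not 0 <= version <= 0xFFFFFFFF:
        raise ValueError("gpt.ini Version is outside the 32-bit range")
    return version


def split_version(version):
    """Split a 32-bit GPO version into (user_version, computer_version).

    Per [MS-GPOL] section 2.2.4, the upper 16 bits are the user policy
    version and the lower 16 bits are the computer policy version.
    """
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def needs_reapply(gpt_ini_text, cached_version, processing_user):
    """Decide whether step 11 (re-reading and applying settings) is needed.

    cached_version is the assumed 32-bit version the client applied last
    time; only the half relevant to the current pass (user or computer)
    is compared, so a computer-only change does not trigger user policy.
    """
    cur_user, cur_computer = split_version(parse_gpt_ini(gpt_ini_text))
    old_user, old_computer = split_version(cached_version)
    if processing_user:
        return cur_user != old_user
    return cur_computer != old_computer
```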